UNITED STATES OF AMERICA
FEDERAL TRADE COMMISSION
WASHINGTON, D.C. 20580

FEDERAL TRADE COMMISSION
OFFICE OF INSPECTOR GENERAL

SEMIANNUAL REPORT TO CONGRESS

April 1, 2007 - September 30, 2007

Report #37

Office of Inspector General
October 24, 2007

The Honorable Deborah Majoras
Chairman
Federal Trade Commission
600 Pennsylvania Avenue, N.W.
Washington, D.C. 20580

Dear Chairman Majoras:

The attached report covers the Office of Inspector General's (OIG) activities for the first
half of fiscal year 2007 and is submitted according to Section 5 of the Inspector General Act of
1978, as amended.

During the six-month reporting period ending September 30, 2007, the OIG completed a
review of the FTC’s Implementation of the Federal Information Security Act for FY 2006,
issued Management Challenges for inclusion in the FTC’s FY 2007 Performance and
Accountability Report and issued an audit of the FTC’s Consumer Response Center.

In addition, the OIG processed 42 consumer inquiries and complaints/allegations of
possible wrongdoing during the period, opened four new investigations into wrongdoing and
referred one matter to the Department of Justice for prosecutorial consideration.

As in the past, management has been responsive in attempting to implement all OIG
recommendations. I appreciate management's support and I look forward to working with you in
our ongoing efforts to promote economy and efficiency in agency programs.

Sincerely,

Howard L. Sribnick
Inspector General

INTRODUCTION

The Federal Trade Commission (FTC) seeks to ensure that the nation’s markets are
competitive, efficient and free from undue restrictions. The FTC also seeks to improve the
operation of the marketplace by ending unfair and deceptive practices, with emphasis on those
practices that might unreasonably restrict or inhibit the free exercise of informed choice by
consumers. The FTC relies on economic analysis to support its law enforcement efforts and to
contribute to the economic policy deliberations of Congress, the Executive Branch and the
public.

To aid the FTC in accomplishing its consumer protection and antitrust missions, the
Office of Inspector General (OIG) was provided five work years and a budget of $917,500 for
fiscal year 2007.

AUDIT ACTIVITIES

During the six-month reporting period ending September 30, 2007, the OIG completed a
review of the FTC’s Implementation of the Federal Information Security Act for FY 2006,
issued Management Challenges for inclusion in the FTC’s FY 2007 Performance and
Accountability Report and issued an audit of the FTC’s Consumer Response Center.

Detailed information regarding these audits and reviews completed during the reporting
period is provided below.

Completed Audits

Audit Report Number    Subject of Audit

AR 07-003              Audit of the Federal Trade Commission’s
                       Consumer Response Center

AR 07-004              The FTC’s Implementation of the Federal Information
                       Security Act for FY 2007

Summary of Audits and Reviews Issued During the Current Period

AR 07-003, Review of the FTC Consumer Response Center

The objective of our review was to evaluate pertinent policies and procedures regarding the
operation of the Consumer Response Center, assess the kind of information obtained from
consumers, and determine how consumer complaints are categorized.

The CRC receives approximately 30,000 to 40,000 contacts per week from consumers, law
enforcement agencies, and other consumer advocate groups. Approximately 10,000 to 12,000 of
those contacts are consumer complaints. Consumer complaints are entered into the Consumer
Information System database (CIS). In addition to FTC personnel, external agencies can enter
complaints into CIS or provide complaints in bulk to the CRC for uploading into CIS.

Our review found that consumer complaints received by CRC and the call center contractor
were accurately entered into the Consumer Information System and Consumer Sentinel. However,
we found that not all complaints uploaded from external reporting agencies are correctly identified
under the appropriate product service code (PSC) in Consumer Sentinel. BCP advised that this
occurred when the service codes used by outside entities, such as the Better Business Bureau, did
not match up with the codes used by the agency.
BCP will attempt to address this issue in the upcoming
follow-on call center contract.

AR 07-004, Review of Federal Trade Commission Implementation of the Federal
Information Security Management Act (FISMA) For Fiscal Year 2007

The objectives of the independent evaluation of the FTC information security
program were to: (1) assess compliance with FISMA and related information security policies,
procedures, standards, and guidelines, (2) determine the effectiveness of information security
policies, procedures, and practices as implemented at Headquarters and the Western Regional Office
in San Francisco, CA, (3) perform a network scan of the FTC Infrastructure network to identify
vulnerabilities in the agency’s security controls and patch management program, (4) assess FTC’s
government equipment usage process, (5) assess FTC’s disaster recovery and contingency planning
capability, and (6) evaluate security controls protecting FTC applications.

This year's OIG review found that the FTC security environment is strong and robust and
continues to evolve to expand its coverage and to address changing threats and requirements.
FTC management recognizes that continued vigilance and resource investment are required to
continue to protect the data entrusted to its care and secure the availability and integrity of the
information technology (IT) systems that are critical to the agency’s ability to successfully
complete its missions.

The FTC Office of Information Technology Management (ITM) is presently updating
its security policies and procedures. This effort is integrated with its deployment of the FTC
Privacy Program.
Integration of the FTC Information and Privacy programs will result in
stronger protection than if the programs were established as independent efforts.

The OIG analysis of the current FTC security/privacy control environment identified 19
findings (13 assessed as LOW and 6 as MEDIUM severity) relative to Headquarters activities
and 8 findings (4 assessed as LOW and 4 as MEDIUM severity) at the San Francisco Regional
Office. ITM has already initiated action that will mitigate all of the Headquarters and Regional
Office findings.

Other Activity

Other activity relating to the audit function of the OIG during this reporting period
included revising the OIG Audit Manual to comply with July 2007 revisions to government audit
standards and participation in a peer review conducted by the Smithsonian Institution OIG.

Planned Audits

Audit Report Number        Subject of Review

AR 08-001                  Audit of the FTC’s Financial Statements for
                           Fiscal Year 2007

                           The purpose of the audit is to
                           express an opinion on the financial statements of
                           the Federal Trade Commission for the fiscal year
                           ending September 30, 2007. The principal
                           statements to be audited include the (a) Balance
                           Sheet; (b) Statement of Net Cost; (c) Statement of
                           Changes in Net Position; (d) Statement of
                           Budgetary Resources; (e) Statement of Financing;
                           (f) Statement of Custodial Activity, and notes to the
                           financial statements. The OIG will also test the
                           internal controls associated with the movement of
                           transactions through the FTC’s financial system and
                           assess compliance with selected laws and
                           regulations.

                           The OIG will follow guidance contained in OMB
                           Bulletin No. 01-02, Audit Requirements for Federal
                           Financial Statements, in performing this audit.

                           The audited financial statements are required to be
                           included in the financial section of the agency’s
                           Performance and Accountability Report to be issued
                           on or before November 15, 2007.

AR 08-002                  Review of the Redress Administration Office
                           (RAO) Tracking of Judgements and Collections
                           in Bureau of Consumer Protection Cases

                           In the past, the OIG found that accounting and
                           reporting on judgments, collections and redress
                           distributions by the Bureau of Consumer Protection
                           Redress Office contained errors and omissions.

                           In response to these findings, the Bureau of Consumer
                           Protection has launched a new Redress/Enforcement
                           database that incorporates data about orders,
                           defendants, receivers, redress distributions, and other
                           financial data for redress matters. The OIG will
                           undertake a follow-up review of the tracking and
                           reporting of judgments and collections by the Redress
                           Office to assure that the goals of this important
                           management challenge are achieved.

Other Potential Reviews    Because a new Audit Manager will be joining the
                           OIG at the end of October, 2007, the decision as to
                           what additional audits of agency programs should be
                           initiated is being deferred until this individual has an
                           opportunity to review the Audit Work Plan developed
                           by her predecessor.

INVESTIGATIVE ACTIVITIES

The Inspector General is authorized by the IG Act to receive and investigate allegations of
employee misconduct as well as fraud, waste and abuse occurring within FTC programs and
operations. Matters of possible wrongdoing are referred to the OIG in the form of allegations or
complaints from a variety of sources, including FTC employees, other government agencies and the
general public. Reported incidents of possible fraud, waste and abuse can give rise to
administrative, civil or criminal investigations.

In conducting criminal investigations during the past several years, the OIG has sought
assistance from, and worked jointly with, other law enforcement agencies, including other OIGs,
the Federal Bureau of Investigation, the U.S. Postal Inspection Service, the U.S. Secret Service, the
U.S. Marshals Service, the Internal Revenue Service, U.S. Capitol Police, Federal Protective
Service as well as state agencies and local police departments.

Investigative Summary

During this reporting period, the OIG received 42 consumer and other inquiries and reports
of possible wrongdoing. Of the 42 complaints, 17 involved issues that fall under the jurisdiction of
FTC program components (identity theft, credit repair, etc.). These matters were referred to the
appropriate FTC component for disposition. One complaint was referred to a state agency for
appropriate action. Of the remaining complaints, the OIG opened four new investigations and
twenty complaints were closed with no further OIG action.

Following is a summary of the OIG's investigative activities for the six-month period ending
September 30, 2007:

Cases pending as of 3/31/07       4
  PLUS: New cases                 4
  LESS: Cases closed             (2)
Cases pending as of 9/30/07       6

Investigations Closed

The OIG closed an investigation, opened during the prior reporting period, involving
alleged unauthorized access to sensitive information in Lexis/Nexis databases by a former FTC
student intern. The allegation stemmed from an internal audit conducted by the agency’s Office
of Information Technology Management. The audit revealed that a former FTC unpaid college
student intern had accessed sensitive databases on Lexis/Nexis after his four-month internship
with the agency had ended.
Because Lexis/Nexis had built-in safeguards, the former intern
could only access the names, addresses and partially-redacted social security numbers germane
to his search queries.

The unauthorized access was possible because an FTC administrative officer failed to
adhere to established agency procedures for “checking out” employees (including unpaid
interns) who resign from the FTC. Our investigation uncovered no evidence that the procedural
breach was deliberate. Rather, the administrative officer did not believe that the routine
check-out procedure (including obtaining signatures on the “check out” form from various
organizations within the agency) applied to short-term unpaid interns. This procedural lapse
prevented the organization within the agency that is responsible for terminating Lexis/Nexis
password authorizations from terminating the intern’s authorization to the sensitive databases.

Throughout the OIG investigation, the OIG kept the agency’s Chief Privacy Officer and
breach notification response team apprised of the progress of the investigation in order that
notifications to affected individuals could be made, if appropriate. Because no sensitive
personally identifiable information was disclosed as a result of the unauthorized access, the
breach notification response team determined that no individual notifications were necessary.
Because the former intern no longer worked for the agency and the administrative officer who
failed to adhere to procedures did so out of ignorance rather than an intent to violate regulation,
the matter was closed with no OIG referral. However, management was advised to assure
adherence to “checking out” procedures in the future.

The OIG also closed an investigation involving an employee’s misuse of the agency’s
information technology resources.
Our investigation revealed that a senior FTC attorney
submitted a Freedom of Information Act request to a District of Columbia agency and had
multiple email exchanges with that DC agency while using his FTC email account. The
employee’s conduct was found to have violated the agency’s policy on appropriate use of
information technology resources. The OIG transmitted an administrative referral to agency
management for appropriate action.

Matters Referred for Prosecution

During this reporting period the OIG did not refer any new matters to the Department of
Justice (DOJ) for consideration of potential criminal action. We consulted with DOJ regarding
the unauthorized access to Lexis/Nexis databases investigation described above. Both the OIG
and DOJ agreed that a declination for prosecution was appropriate, based on the facts presented.

A matter referred to DOJ during the previous reporting period remains pending at DOJ,
with no final action to date.

OTHER ACTIVITIES

Management Advisories

The OIG issued no new Management Advisories during this reporting period.

Significant Management Decisions

Section 5(a)(12) of the Inspector General Act requires that if the IG disagrees with any
significant management decision, such disagreement must be reported in the semiannual report.
Further, Section 5(a)(11) of the Act requires that any decision by management to change its
response to a significant resolved audit finding must also be disclosed in the semiannual report.
For this reporting period there were no significant final management decisions made with which
the OIG disagreed, and management did not revise any earlier decisions on OIG audit
recommendations.

Access to Information

The IG is to be provided with ready access to all agency records, information, or
assistance when conducting an investigation or audit. Section 6(b)(2) of the IG Act requires the
IG to report to the agency head, without delay, if the IG believes that access to required
information, records or assistance has been unreasonably refused, or otherwise has not been
provided. A summary of each report submitted to the agency head in compliance with Section
6(b)(2) must be provided in the semiannual report in accordance with Section 5(a)(5) of the Act.

During this reporting period, the OIG did not encounter any problems in obtaining
assistance or access to agency records. Consequently, no report was issued by the IG to the
agency head in accordance with Section 6(b)(2) of the IG Act.

Audit Resolution

As of the end of this reporting period, all OIG audit recommendations for reports issued
in prior periods have been resolved. That is, management and the OIG have reached agreement
on what actions need to be taken.

Review of Legislation

Section 4(a)(2) of the IG Act authorizes the IG to review and comment on proposed
legislation or regulations relating to the agency or, upon request, affecting the operations of the
OIG. During this reporting period, the OIG reviewed no legislation.

Contacting the Office of Inspector General

Employees and the public are encouraged to contact the OIG regarding any incidents of
possible fraud, waste, or abuse occurring within FTC programs and operations. The OIG
telephone number is (202) 326-2800. To report suspected wrongdoing, employees may also call
the OIG's investigator directly on (202) 326-2618. A confidential or anonymous message can be
left 24 hours a day.
Complaints or allegations of fraud, waste or abuse can also be emailed
directly to chogue@ftc.gov. OIG mail should be addressed to:

    Federal Trade Commission
    Office of Inspector General
    Room NJ-1110
    600 Pennsylvania Avenue, NW
    Washington, D.C. 20580

OIG reports can be accessed via the internet at: www.ftc.gov/oig. A visitor to the OIG
home page can download recent (1996-2006) OIG semiannual reports to Congress, the FY 1998
- 2006 financial statement audits, and other program and performance audits issued beginning in
FY 1999. A list of audit reports issued prior to FY 1999 can also be ordered via an e-mail link to
the OIG. In addition to this information resource about the OIG, visitors are also provided a link
to other federal organizations and Offices of Inspector General.

TABLE I
SUMMARY OF INSPECTOR GENERAL REPORTING REQUIREMENTS

IG Act Reference    Reporting Requirement                                        Page(s)

Section 4(a)(2)     Review of legislation and regulations                        7

Section 5(a)(1)     Significant problems, abuses and deficiencies                1-2

Section 5(a)(2)     Recommendations with respect to significant
                    problems, abuses and deficiencies                            1-2

Section 5(a)(3)     Prior significant recommendations on which
                    corrective actions have not been made                        7

Section 5(a)(4)     Matters referred to prosecutive authorities                  6

Section 5(a)(5)     Summary of instances where information was refused           6

Section 5(a)(6)     List of audit reports by subject matter, showing dollar
                    value of questioned costs and funds put to better use        9-10

Section 5(a)(7)     Summary of each particularly significant report              1-2

Section 5(a)(8)     Statistical tables showing number of reports and
                    dollar value of questioned costs                             9

Section 5(a)(9)     Statistical tables showing number of reports and dollar
                    value of recommendations that funds be put to better use     10

Section 5(a)(10)    Summary of each audit issued before this reporting
                    period for which no management decision was made
                    by the end of the reporting period                           7

Section 5(a)(11)    Significant revised management decisions                     6

Section 5(a)(12)    Significant management decisions with which
                    the Inspector General disagrees                              6

TABLE II
INSPECTOR GENERAL ISSUED REPORTS
WITH QUESTIONED COSTS

                                                            Dollar Value
                                                       Questioned   Unsupported
                                              Number   Costs        Costs

A.  For which no management decision has
    been made by the commencement of the
    reporting period                          0        0            (0)

B.  Which were issued during the reporting
    period                                    0        0            (0)

    Subtotals (A + B)                         0        0            (0)

C.  For which a management decision was
    made during the reporting period          0        0            (0)

    (i) dollar value of disallowed costs      0        0            (0)

    (ii) dollar value of cost not disallowed  0        0            (0)

D.  For which no management decision was
    made by the end of the reporting period   0        0            (0)

    Reports for which no management
    decision was made within six months of
    issuance                                  0        0            (0)

TABLE III
INSPECTOR GENERAL ISSUED REPORTS
WITH RECOMMENDATIONS THAT FUNDS BE PUT TO BETTER USE

                                                          Number   Dollar Value

A.  For which no management decision has been made
    by the commencement of the reporting period           0        0

B.  Which were issued during this reporting period        0        0

C.  For which a management decision was made during
    the reporting period                                  0        0

    (i) dollar value of recommendations that were
    agreed to by management                               0        0

    - based on proposed management action                 0        0

    - based on proposed legislative action                0        0

    (ii) dollar value of recommendations that were not
    agreed to by management                               0        0

D.  For which no management decision has been made
    by the end of the reporting period                    0        0

    Reports for which no management decision was
    made within six months of issuance                    0        0